Lab 4 ARP and DNS Cache Poisoning v1.4
1. Kali Linux VM
2. Debian Linux VM as a Client
3. Debian Linux VM as a Server
Table of Contents
ARP and DNS Cache Poisoning (page 1)
Understanding TCP/IP based Attacks (page 4)
Lab Environment Setup (page 4)
Step 1: Use the following command to change the configuration of etter.dns (page 13)
Step 2: Navigate to the end of the file and insert the following (page 13)
Student Task 7 (page 14)
Step 3: Clear the cache of Firefox and run Firefox in private window (page 15)
Step 4: Run Ettercap dns spoof using following command (page 17)
Student Task 8 (page 17)
In this lab we will gain first-hand experience with TCP/IP vulnerabilities, as well as with attacks that exploit them.
Vulnerabilities of the TCP/IP protocols occur at several layers. In this lab we will be exploiting ARP, which is a Layer 2
protocol, and DNS, which is a Layer 7 protocol.
To conduct this lab, we need 3 VMs connected to a NAT Network. The tools used in this lab are Netwox/Netwag,
Ettercap and SET.
LAB ENVIRONMENT
Reference: http://ntwox.sourceforge.net/
The ARP cache is an important part of the ARP protocol. Once a mapping between a MAC address and an IP address
is resolved as the result of executing the ARP protocol, the mapping will be cached. Therefore, there is no need to
repeat the ARP protocol if the mapping is already in the cache. However, because the ARP protocol is stateless, the
cache can be easily poisoned by maliciously crafted ARP messages. Such an attack is called the ARP cache poisoning
attack.
Attackers may use spoofed ARP messages to trick the victim into accepting an invalid MAC-to-IP mapping and storing
the mapping in its cache. The consequences vary with the motives of the attacker. For example, attackers can launch
a DoS attack against a victim by associating a non-existent MAC address with the IP address of the victim's default
gateway; attackers can also redirect the traffic to and from the victim to another machine, etc.
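Because the cache is stateless, the only reliable defence on the client side is to notice when a cached mapping changes without reason. The following script is an added example (not part of this handout) that compares two `arp -a` snapshots and reports the two symptoms of the attack described above: a cached IP that suddenly maps to a different MAC, and one MAC that claims several IPs. The snapshot text, addresses and MACs are constructed for illustration; on the client VM you would feed it the real output of `arp -a` taken before and after the poisoning step.

```python
"""Detect ARP cache poisoning symptoms from successive `arp -a` snapshots.

Added example for this lab; not part of the handout. The snapshots below are
constructed (hypothetical addresses). In practice, capture `arp -a` or
`ip neigh` on the client periodically and compare consecutive outputs.
"""
import re
from collections import defaultdict

# Matches the Linux `arp -a` line format, e.g.
# "? (10.0.2.4) at 08:00:27:aa:bb:cc [ether] on eth0"
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_anomalies(before, after):
    """Compare two ARP snapshots and return a list of (kind, detail) alerts.

    Two symptoms of the attack in this lab:
      * 'changed'   - an IP that was already cached now maps to a different MAC
      * 'duplicate' - one MAC now claims several IPs (attacker plus spoofed server)
    """
    alerts = []
    for ip, old_mac in before.items():
        new_mac = after.get(ip)
        if new_mac is not None and new_mac != old_mac:
            alerts.append(("changed", f"{ip}: {old_mac} -> {new_mac}"))
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("duplicate", f"{mac} claims {sorted(ips)}"))
    return alerts


# Constructed snapshots (hypothetical addresses, not taken from the lab).
# 10.0.2.5 plays the server, 10.0.2.6 plays the attacker.
SNAPSHOT_BEFORE = """\
? (10.0.2.1) at 52:54:00:12:35:00 [ether] on eth0
? (10.0.2.5) at 08:00:27:11:22:33 [ether] on eth0
? (10.0.2.6) at 08:00:27:44:55:66 [ether] on eth0
"""
SNAPSHOT_AFTER = """\
? (10.0.2.1) at 52:54:00:12:35:00 [ether] on eth0
? (10.0.2.5) at 08:00:27:44:55:66 [ether] on eth0
? (10.0.2.6) at 08:00:27:44:55:66 [ether] on eth0
"""


def demo():
    """Run the comparison on the constructed snapshots and return the alerts."""
    before = parse_arp_table(SNAPSHOT_BEFORE)
    after = parse_arp_table(SNAPSHOT_AFTER)
    return find_anomalies(before, after)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"[{kind}] {detail}")
```

Run it on the VM with `arp -a > before.txt` before Step 7 and `arp -a > after.txt` afterwards, then call `find_anomalies(parse_arp_table(open("before.txt").read()), parse_arp_table(open("after.txt").read()))`. A 'duplicate' alert on its own can be legitimate (a router holding several addresses), so treat the 'changed' alert for the server's IP as the primary signal.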
sudo arp -a
Step 4: After verifying the connectivity, check the ARP table of the client.
sudo arp -a
You can see that the MAC address of the server has been mapped to the IP of the server in the ARP cache.
If you see an error that apache is not found, install the Apache2 server using the following command
***********************************************************************************************
Student Task 1:
Provide the screenshot of the command:
***********************************************************************************************
Step 6: Go to the client machine, open a browser and type the IP of the server.
Step 7: To perform ARP cache poisoning we will use netwag in Attacker VM.
sudo netwag
You can see that the IP of the server has now been mapped to the MAC address of the Attacker machine. We have
successfully poisoned the ARP cache.
Step 10: Try to access the apache2 webpage using the IP of the server.
You need to clear the cache and browser history of Firefox first. See this link for how to do it: LINK
***********************************************************************************************
Student Task 2:
Provide the screenshot of the output and briefly explain the output.
***********************************************************************************************
Step 11: Run the following command to enable a 2nd IP on eth0 on the Attacker machine
***********************************************************************************************
Student Task 3:
Provide screenshot of the interface eth0 with 2 IPs.
***********************************************************************************************
sudo setoolkit
Social-Engineering Attacks
Website Attack Vectors
Credential Harvester Attack Method
Web Templates
Use the IP of Attacker
Use Google as templates
***********************************************************************************************
Student Task 4:
***********************************************************************************************
Step 2: After successfully running SET, go to the Client's browser and type the Server IP
***********************************************************************************************
Student Task 5:
a) Briefly explain what you have noticed.
b) Provide screenshot.
***********************************************************************************************
If yes, then congratulations: you have successfully redirected the web request that was meant for the server
to the attacker.
***********************************************************************************************
Student Task 5:
Now try with your name as the Email and your learner number as the Password, and provide a screenshot below.
***********************************************************************************************
“DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt
Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an
incorrect result record, e.g. an IP address. This results in traffic being diverted to the attacker's computer (or any
other computer).”
Reference: https://en.wikipedia.org/wiki/DNS_spoofing
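The symptom of the spoofing you will see later in this lab is that a public hostname such as www.google.com is answered with an address on the lab's own LAN. The script below is an added example (not part of this handout or of Ettercap) that checks resolver answers for exactly that: a public name resolving into a private range, or a local answer that shares no address at all with an independent resolver. All answers and addresses are constructed; 10.0.2.6 stands in for the attacker VM and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are documentation ranges used as placeholders for real public addresses.

```python
"""Flag DNS answers that look like the cache poisoning performed in this lab.

Added example; not part of the handout. `local_answers` would normally come
from the client's configured resolver and `reference_answers` from an
independent resolver reached over a different path; here both are
constructed dictionaries.
"""
import ipaddress

# Ranges that should never appear in an answer for a public hostname.
# Checked explicitly because ipaddress.is_private also covers the
# documentation ranges used below as stand-ins for public addresses.
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_lan_address(addr):
    """True for RFC 1918, loopback and link-local IPv4 addresses."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def check_answers(local_answers, reference_answers):
    """Return {hostname: reason} for answers that look spoofed.

    local_answers / reference_answers: {hostname: set of IP strings}
    Flags (a) a public name answered with a LAN address (strong signal) and
    (b) a local answer with no address in common with the reference resolver
    (weaker signal; CDNs legitimately hand out different addresses per region).
    """
    suspicious = {}
    for host, local_ips in local_answers.items():
        lan = sorted(ip for ip in local_ips if is_lan_address(ip))
        if lan:
            suspicious[host] = f"public name resolves to LAN address {lan}"
            continue
        ref_ips = reference_answers.get(host)
        if ref_ips and not (set(local_ips) & set(ref_ips)):
            suspicious[host] = f"no overlap with reference answer {sorted(ref_ips)}"
    return suspicious


# Constructed sample answers (hypothetical). www.google.com is the name the
# lab spoofs; 10.0.2.6 is a made-up attacker address on the lab NAT network.
LOCAL = {
    "www.google.com": {"10.0.2.6"},
    "www.example.com": {"192.0.2.10"},
    "www.debian.org": {"198.51.100.20"},
}
REFERENCE = {
    "www.google.com": {"192.0.2.50", "192.0.2.51"},
    "www.example.com": {"192.0.2.10"},
    "www.debian.org": {"203.0.113.7"},
}


def demo():
    """Check the constructed local answers against the reference answers."""
    return check_answers(LOCAL, REFERENCE)


if __name__ == "__main__":
    for host, reason in demo().items():
        print(f"{host}: {reason}")
```

On the client VM, the dictionaries can be filled from `dig +short www.google.com` run once against the default resolver and once against a resolver specified with `@`, although after Step 4 of the Ettercap section every query that crosses the poisoned path may be rewritten, so the reference answer should be taken before the attack or from a host that is not on the affected segment.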
***********************************************************************************************
Student Task 6:
Briefly explain what DNS is.
***********************************************************************************************
Ettercap
“Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. It can be used for
computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including
Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network
segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. Its
original developers later founded Hacking Team.”
Reference: https://en.wikipedia.org/wiki/Ettercap_(software)
Web: https://www.ettercap-project.org/
Step 2: Navigate to the end of the file and insert the following
Save and exit the file. By now you should be a master at it.
***********************************************************************************************
Student Task 7:
What will happen if you uncomment the 3rd line?
***********************************************************************************************
Step 3: Clear the cache of Firefox and run Firefox in private window.
Select Everything
***********************************************************************************************
Student Task 8:
Provide the screenshot of the command entered.
***********************************************************************************************
Step 1: Use the browser on the Client machine and type the following
www.google.com
Email: [email protected]
***********************************************************************************************
Student Task 9:
Provide the screenshot of the terminal running SET with the credentials captured.
***********************************************************************************************